Kubernetes in Practice - Part 1 - Cluster Deployment and Configuration (2): Setting Up the Enterprise Image Registry Harbor

xiaoxiao, 2025-08-28

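For the complete table of contents of the Kubernetes in Practice series, see: Kubernetes in Practice - Table of Contents

Related entries:

Cluster Deployment and Configuration (1): Configuring the Docker Environment on CentOS 7
Cluster Deployment and Configuration (2): Setting Up the Enterprise Image Registry Harbor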

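Harbor is the de facto standard component for deploying a private container image registry. The current release has reached 2.0.0 (just released, with many bugs still to be fixed); the latest minor release of the 1.x line is 1.10.3. This entry records the steps I actually followed to configure an enterprise image registry on Harbor 1.10.3, along with the pitfalls I ran into, for example being blocked by the firewall while downloading the Harbor binary package for the offline installation.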

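| Host name | IP address | Operating system | Role | Software versions | Notes |
|---|---|---|---|---|---|
| opsharbor-shqs-1 | 10.99.73.38 | CentOS 7.6 | docker hub | docker-ce 19.03.11, docker-compose 1.26.0, harbor 1.10.3 | Test domain: csrepo.ejuops.com |

Note: prepare a domain name to use. It can be a custom domain with no DNS record, resolved through the hosts file for temporary verification.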

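I. Preparation

1. Configure the system and the Docker environment

Initialize the system and install and configure docker-ce as described in the first entry: Configuring the Docker Environment on CentOS 7

2. Configure docker-compose

The docker-compose version used is 1.26.0.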

    curl -L https://github.com/docker/compose/releases/download/1.26.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
    chmod +x /usr/local/bin/docker-compose
    ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

3. Verification

    # docker -v
    Docker version 19.03.11, build 42e35e61f3
    # systemctl status docker
    Active: active (running)
    # docker-compose -v
    docker-compose version 1.26.0, build d4451659

II. Generating a Self-Signed Certificate

Because this is a test setup that is only used on the data-center intranet, I did not request a certificate and use a self-signed certificate instead.
Domain: csrepo.ejuops.com

1. Generate the self-signed certificate

    mkdir certs
    cd certs
    openssl genrsa -des3 -passout pass:x -out csrepo.ejuops.com.pass.key 2048
    openssl rsa -passin pass:x -in csrepo.ejuops.com.pass.key -out csrepo.ejuops.com.key
    # Passing -subj avoids the interactive prompts
    openssl req -new -subj "/C=CN/ST=ShangHai/L=ShangHai/O=eju/OU=ops/CN=csrepo.ejuops.com" -key csrepo.ejuops.com.key -out csrepo.ejuops.com.csr
    # Set the certificate validity to 10 years
    openssl x509 -req -sha256 -days 3650 -in csrepo.ejuops.com.csr -signkey csrepo.ejuops.com.key -out csrepo.ejuops.com.crt

2. Inspect the certificate

    # 1. Check the certificate's validity period
    # openssl x509 -in csrepo.ejuops.com.crt -noout -dates
    notBefore=Jun 19 03:08:01 2020 GMT
    notAfter=Jun 17 03:08:01 2030 GMT
    # 2. More detailed information can also be displayed
    # openssl x509 -in csrepo.ejuops.com.crt -noout -text
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
                c6:cb:48:7f:8b:b8:bb:55
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, ST=ShangHai, L=ShangHai, O=eju, OU=ops, CN=csrepo.ejuops.com
            Validity
                Not Before: Jun 19 03:08:01 2020 GMT
                Not After : Jun 17 03:08:01 2030 GMT
            Subject: C=CN, ST=ShangHai, L=ShangHai, O=eju, OU=ops, CN=csrepo.ejuops.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        xxxxxxxx [omitted here]
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha256WithRSAEncryption
             YYYYYYYY [omitted here]

The certificate is now ready; keep it for later use.
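The certificate printed above is X.509 version 1 with no extensions, so the host name is carried only in the CN; clients built with Go 1.15 or later, which newer Docker releases are, ignore the CN and require a subjectAltName. The following added example (not part of the original post) generates the same kind of self-signed certificate with and without a SAN and checks each one; the function names and the DN reduced to the CN are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical
# and the DN is reduced to the CN for brevity.

# make_cert DIR HOST san|cn-only
# Writes DIR/HOST.key and DIR/HOST.crt. A config file is used instead of
# -addext so that it also runs on the OpenSSL 1.0.2 shipped with CentOS 7.
make_cert() {
    local dir="$1" host="$2" mode="$3" ext=""
    if [ "$mode" = san ]; then ext="x509_extensions = v3_ext"; fi
    cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
$ext
[dn]
CN = $host
[v3_ext]
subjectAltName = DNS:$host
basicConstraints = critical, CA:TRUE
EOF
    # umask keeps the private key readable by its owner only (0600)
    ( umask 077; openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null ) || return 1
    openssl req -new -x509 -sha256 -days 3650 -config "$dir/$host.cnf" \
        -key "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
}

# cert_has_san CRT HOST: succeeds only if HOST is listed as a DNS SAN.
# "openssl x509 -checkhost" is not used because it falls back to the CN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -Eq "DNS:$2(,| |\$)"
}

# Demo in a scratch directory: the page's CN-only style next to a SAN certificate
demo() {
    local tmp host=csrepo.ejuops.com mode
    tmp=$(mktemp -d) || return 1
    for mode in cn-only san; do
        mkdir "$tmp/$mode"
        make_cert "$tmp/$mode" "$host" "$mode" || return 1
        if cert_has_san "$tmp/$mode/$host.crt" "$host"; then
            echo "$mode: SAN covers $host"
        else
            echo "$mode: no SAN, CN only"
        fi
    done
    rm -rf "$tmp"
}
demo
```

The directory listing later on this page shows csrepo.ejuops.com.key with mode 0644; the umask in the example keeps the generated key at 0600.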

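III. Installing and Configuring Harbor

Version: 1.10.3
Installation mode: offline

1. Download the Harbor binary package

Note: downloads from github.com are intermittent from within China, so it is best to enable resumable downloads.

    # Rate-limit the download according to the available bandwidth (500 KB/s here) and resume interrupted transfers
    wget -c --limit-rate=500K https://github.com/goharbor/harbor/releases/download/v1.10.3/harbor-offline-installer-v1.10.3.tgz

2. Prepare the Harbor installation

Note: every operation in this document is performed as root. The installation directory is /opt/app/harbor.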

Extract the package into the installation directory:

    ~]# mkdir /opt/app
    ~]# tar zxvf harbor-offline-installer-v1.10.3.tgz -C /opt/app/

Move the prepared certificates into the installation directory:

    mv /root/certs /opt/app/harbor/

Directory contents:

    ~]# cd /opt/app/harbor
    ~]# ls -l
    drwxr-xr-x 2 root root       127 Jun 19 10:40 certs
    -rw-r--r-- 1 root root      3398 Jun  1 19:14 common.sh
    -rw-r--r-- 1 root root 670562154 Jun  1 19:15 harbor.v1.10.3.tar.gz
    -rw-r--r-- 1 root root      5882 Jun  1 19:14 harbor.yml
    -rwxr-xr-x 1 root root      2284 Jun  1 19:14 install.sh
    -rw-r--r-- 1 root root     11347 Jun  1 19:14 LICENSE
    -rwxr-xr-x 1 root root      1749 Jun  1 19:14 prepare

Edit the configuration file:

    # vi harbor.yml
    # Change the following settings and leave everything else at its default
    hostname: csrepo.ejuops.com
    http:
      port: 80
    https:
      port: 443
      certificate: /opt/app/harbor/certs/csrepo.ejuops.com.crt
      private_key: /opt/app/harbor/certs/csrepo.ejuops.com.key
    harbor_admin_password: xxxxxxxxx
    database:
      password: yyyyyyyyy
    data_volume: /data
    log:
      level: info
      # in the stock harbor.yml, location sits under log.local
      local:
        location: /data/logs/harbor

Generate the configuration and download the prepare image:

    # ./prepare
    prepare base dir is set to /opt/app/harbor
    Unable to find image 'goharbor/prepare:v1.10.3' locally
    v1.10.3: Pulling from goharbor/prepare
    a10779388d4e: Pull complete
    12b8569f46a6: Pull complete
    298230e0a21f: Pull complete
    ea3847dc8bc4: Pull complete
    1b52894b31e5: Pull complete
    ae5b50c2a4c9: Pull complete
    8b279542d577: Pull complete
    Digest: sha256:c757f65f753a73618c7bea3b6e5d0ab281bb60b91ae8d85b20f6d8657d703861
    Status: Downloaded newer image for goharbor/prepare:v1.10.3
    Generated configuration file: /config/log/logrotate.conf
    Generated configuration file: /config/log/rsyslog_docker.conf
    Generated configuration file: /config/nginx/nginx.conf
    Generated configuration file: /config/core/env
    Generated configuration file: /config/core/app.conf
    Generated configuration file: /config/registry/config.yml
    Generated configuration file: /config/registryctl/env
    Generated configuration file: /config/db/env
    Generated configuration file: /config/jobservice/env
    Generated configuration file: /config/jobservice/config.yml
    Generated and saved secret to file: /secret/keys/secretkey
    Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
    Generated configuration file: /compose_location/docker-compose.yml
    Clean up the input dir

3. Install Harbor

Run the installer:

    ~]# cd /opt/app/harbor
    ~]# ./install.sh
    [Step 0]: checking if docker is installed ...
    [Step 1]: checking docker-compose is installed ...
    [Step 2]: loading Harbor images ...
    [Step 3]: preparing environment ...
    [Step 4]: preparing harbor configs ...
    [Step 5]: starting Harbor ...
    Creating network "harbor_harbor" with the default driver
    Creating harbor-log ... done
    Creating harbor-portal ... done
    Creating redis ... done
    Creating registryctl ... done
    Creating registry ... done
    Creating harbor-db ... done
    Creating harbor-core ... done
    Creating nginx ... done
    Creating harbor-jobservice ... done
    ✔ ----Harbor has been installed and started successfully.----

Check the result:

    # docker images
    REPOSITORY                      TAG       IMAGE ID       CREATED       SIZE
    goharbor/chartmuseum-photon     v1.10.3   f4cd7df55b4a   2 weeks ago   178MB
    goharbor/harbor-migrator        v1.10.3   524036d275a6   2 weeks ago   357MB
    goharbor/redis-photon           v1.10.3   6562f3c58b71   2 weeks ago   119MB
    goharbor/clair-adapter-photon   v1.10.3   75badac8362a   2 weeks ago   61.2MB
    goharbor/clair-photon           v1.10.3   3c0b186089bd   2 weeks ago   171MB
    goharbor/notary-server-photon   v1.10.3   d0f003ba5021   2 weeks ago   143MB
    goharbor/notary-signer-photon   v1.10.3   304f122f4b13   2 weeks ago   140MB
    goharbor/harbor-registryctl     v1.10.3   2ee885ed2f2d   2 weeks ago   102MB
    goharbor/registry-photon        v1.10.3   f470058ab661   2 weeks ago   84.5MB
    goharbor/nginx-photon           v1.10.3   8c88b468cdb0   2 weeks ago   43.6MB
    goharbor/harbor-log             v1.10.3   b0c9e48d015e   2 weeks ago   82MB
    goharbor/harbor-jobservice      v1.10.3   044b1a98e9ac   2 weeks ago   143MB
    goharbor/harbor-core            v1.10.3   6521cd80151b   2 weeks ago   129MB
    goharbor/harbor-portal          v1.10.3   7d107a7d6eb8   2 weeks ago   51.7MB
    goharbor/harbor-db              v1.10.3   7d10c16f9b2e   2 weeks ago   157MB
    goharbor/prepare                v1.10.3   be46b57a9105   2 weeks ago   163MB

    # docker ps |less -S
    CONTAINER ID   IMAGE                                 COMMAND                  CREATED         STATUS                   PORTS
    06030163f29e   goharbor/harbor-jobservice:v1.10.3    "/harbor/harbor_jobs…"   4 minutes ago   Up 4 minutes (healthy)
    74e2240ed6ba   goharbor/nginx-photon:v1.10.3         "nginx -g 'daemon of…"   4 minutes ago   Up 4 minutes (healthy)   0.0.0.0:80->8080/tcp, 0.0.0.0
    08a128187c24   goharbor/harbor-core:v1.10.3          "/harbor/harbor_core"    4 minutes ago   Up 4 minutes (healthy)
    58143706b0a1   goharbor/harbor-db:v1.10.3            "/docker-entrypoint.…"   4 minutes ago   Up 4 minutes (healthy)   5432/tcp
    4ba493895bef   goharbor/registry-photon:v1.10.3      "/home/harbor/entryp…"   4 minutes ago   Up 4 minutes (healthy)   5000/tcp
    2b9ac9d7a907   goharbor/redis-photon:v1.10.3         "redis-server /etc/r…"   4 minutes ago   Up 4 minutes (healthy)   6379/tcp
    7665b6b28b3e   goharbor/harbor-registryctl:v1.10.3   "/home/harbor/start.…"   4 minutes ago   Up 4 minutes (healthy)
    123ed5421dbe   goharbor/harbor-portal:v1.10.3        "nginx -g 'daemon of…"   4 minutes ago   Up 4 minutes (healthy)   8080/tcp
    0a1317dc03c5   goharbor/harbor-log:v1.10.3           "/bin/sh -c /usr/loc…"   4 minutes ago   Up 4 minutes (healthy)   127.0.0.1:1514->10514/tcp

    # netstat -pltn
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
    tcp        0      0 127.0.0.1:1514    0.0.0.0:*         LISTEN   4451/docker-proxy
    tcp6       0      0 :::80             :::*              LISTEN   5200/docker-proxy
    tcp6       0      0 :::443            :::*              LISTEN   5184/docker-proxy

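IV. Using Harbor

1. Access the Harbor UI from a browser

https://csrepo.ejuops.com
Account: admin
Password: xxxxxx [the actual password]

The browser's address bar marks the site as not secure; this is because a self-signed certificate is used.

2. Configure the Docker environment to use this Harbor

For Docker to use a private registry that has a self-signed certificate, the self-signed root certificate must be installed in the Docker environment. There are different ways to create a self-signed certificate with openssl; for the one used here, see the section on generating the self-signed certificate in Setting Up the Enterprise Image Registry Harbor.
There are several ways to make a Docker environment use a self-signed certificate. Two of them are listed here.

| Private registry address | Self-signed certificate |
|---|---|
| https://csrepo.ejuops.com | csrepo.ejuops.com.crt |

    certs]# ll
    -rw-r--r-- 1 root root 1212 Jun 19 10:40 csrepo.ejuops.com.crt    # this is the certificate file we need
    -rw-r--r-- 1 root root 1009 Jun 19 10:40 csrepo.ejuops.com.csr
    -rw-r--r-- 1 root root 1675 Jun 19 10:40 csrepo.ejuops.com.key
    -rw-r--r-- 1 root root 1743 Jun 19 10:40 csrepo.ejuops.com.pass.key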

Method 1. Trust the self-signed certificate system-wide

    # Install ca-certificates
    yum -y install ca-certificates
    # Place the certificate file in /usr/share/pki/ca-trust-source/anchors
    cp csrepo.ejuops.com.crt /usr/share/pki/ca-trust-source/anchors/
    # Update the system's list of trusted certificates
    update-ca-trust
    # Check that the certificate was appended
    tail -n23 /etc/ssl/certs/ca-bundle.trust.crt
    # csrepo.ejuops.com        <- seeing this line means the update succeeded
    -----BEGIN TRUSTED CERTIFICATE-----
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx [omitted here]
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    -----END TRUSTED CERTIFICATE-----
    # If the Docker daemon is already running, restart it
    systemctl restart docker
    # Verify
    docker pull hello-world:latest
    docker tag hello-world:latest csrepo.ejuops.com/library/hello-world:latest
    docker login -u'admin' -p'xxxxx' csrepo.ejuops.com
    docker push csrepo.ejuops.com/library/hello-world:latest
    docker pull csrepo.ejuops.com/library/hello-world:latest
    latest: Pulling from library/hello-world
    Digest: sha256:90659bf80b44ce6be8234e6ff90a1ac34acbeb826903b02cfa0da11c82cbc042
    Status: Image is up to date for csrepo.ejuops.com/library/hello-world:latest
    csrepo.ejuops.com/library/hello-world:latest

The output above shows that the configuration succeeded.

Method 2. Configure the Docker service itself to use the self-signed certificate

The private registry domain tested here is: csrepo.ejuops.com

    # Configure
    DOCKER_REGISTRY=csrepo.ejuops.com
    mkdir -p /etc/docker/certs.d/${DOCKER_REGISTRY}
    cp ${DOCKER_REGISTRY}.crt /etc/docker/certs.d/${DOCKER_REGISTRY}/ca.crt
    # Verify; with this method the Docker daemon does not need to be restarted
    docker pull csrepo.ejuops.com/library/hello-world:latest
    latest: Pulling from library/hello-world
    Digest: sha256:90659bf80b44ce6be8234e6ff90a1ac34acbeb826903b02cfa0da11c82cbc042
    Status: Image is up to date for csrepo.ejuops.com/library/hello-world:latest
    csrepo.ejuops.com/library/hello-world:latest

When reposting, please credit the original URL: https://www.6miu.com/read-5035366.html
